Beazley’s five tips to avoid being “harpooned” this tax season
Hackers are increasingly impersonating company executives in “harpooning” attacks aimed at accessing employee W-2 tax form information. The IRS this month issued a warning to be on the lookout for more of these hacking attempts in the current tax season. Beazley, a leading provider of data breach response insurance, offers these tips to help businesses protect against harpooning attacks:
- Trust, but verify – Any unusual requests to send funds or employee information should be confirmed through an alternate communication channel. Criminals can spoof an executive’s email address, and even imitate their typical phrasing and communication patterns, to bypass spam filters. Employees receiving unusual requests from executives, vendors or business partners should always follow up with a phone call to confirm. If it’s that important, they will be sure to pick up the phone.
- Check your website – Corporate websites often include contact information for top executives and customer-facing personnel, but too much contact information can help scammers target weak links. Conduct a website audit to ensure contact details for lower-level employees, especially those in finance, are not available publicly. Such details can be a big help to thieves trying to target the employees most likely to have wire transfer capabilities.
- Watch out for “Out of Band” requests for W-2s – Requests from hackers for employee tax information are a growing threat. These harpooning attempts are the easiest to prevent. An “out of band” request is a request outside of the typical chain of command. There are very few legitimate circumstances when a CEO, CFO or other top executive would request employee W-2 information from a junior employee.
- Be aware of urgency – Scammers are likely to send requests conveying a great sense of urgency, hoping that an unsuspecting employee will send now, think later. The scammers will make the employee believe they will be reprimanded by a high-level executive or headquarters if they do not act on the request immediately. Senior leadership should reinforce the importance of taking the necessary precautions to safeguard employee information and the company itself.
- Don’t enable “social sleuthing” – Some scammers will take advantage of executives who publicly post about their vacations or travel plans on social media, and then prey on lower-level employees by sending an email requesting highly sensitive employee information or a wire transfer to a third party on their behalf. As a best practice, employees of all levels should be careful what they make public on social media.
Katherine Keefe, global head of BBR Services, said: “Hackers are on the grab right now for W-2s, social security numbers and other personal information in order to perpetrate tax fraud. These prevention steps are not difficult to implement, but they do require awareness and vigilance at all levels of an organization. In the case of harpooning for tax information, an ounce of prevention is certainly better than the pound of cure.”
Read the Beazley Breach Insights - January 2017 report.
About Beazley Breach Response (BBR)
Beazley has helped clients handle more than 5,000 data breaches since the launch of Beazley Breach Response in 2009 and is the only insurer with a dedicated in-house team focusing exclusively on helping clients handle data breaches. Beazley's BBR Services team coordinates the expert forensic, legal, notification and credit monitoring services that clients need to satisfy all legal requirements and maintain customer confidence. In addition to coordinating data breach response, BBR Services maintains and develops Beazley's suite of risk management services, designed to minimize the risk of a data breach occurring.